The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI provides a secure boot protocol, which can secure the boot process by preventing the loading of firmware drivers and operating system (OS) loaders (also known as boot loaders) that are not signed with an acceptable digital signature. If secure boot is enabled, then only UEFI applications (e.g., firmware drivers and boot loaders) signed by a particular platform key can be loaded by firmware.
In order for a UEFI application (firmware driver or boot loader) to run on a computing device that has secure boot enabled, a developer of that UEFI application submits the UEFI application to a UEFI certificate authority (CA), which signs the UEFI application if it meets security standards (e.g., is not malware). The UEFI CA has a private key associated with the particular platform key used to verify the signature. However, the UEFI certificate authority typically signs only firmware drivers and boot loaders. Accordingly, the UEFI secure boot mechanism is not traditionally extendable to additional applications or drivers (e.g., to software drivers, an OS kernel, OS packages, third party applications, and so forth). As a result, the trusted platform key stored in hardware and/or firmware on a computing device is not traditionally usable to verify most data of an operating system.
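The trust model described in the two paragraphs above, as an added example that is not part of the original page: a small Go model of the firmware-side check. `Firmware.Trusted` stands in for the key material the text calls the trusted platform key, `Signer` plays the UEFI CA, and `SignedImage` is a hypothetical container for an image and its signature (real UEFI images carry Authenticode signatures inside the PE file; Ed25519 is used here only so the example runs with the standard library). The image bytes are constructed sample data. The model shows why the chain stops where the text says it does: a boot loader signed by the CA loads, an image signed by anyone else or tampered after signing is refused, and an unsigned kernel passed to the same check is refused too, so anything the CA never signed cannot be verified against the firmware's trusted key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrSecureBootReject is returned whenever secure boot refuses to load an image.
var ErrSecureBootReject = errors.New("secure boot: image rejected")

// SignedImage is a hypothetical container for a UEFI application (firmware
// driver or boot loader) plus the signature a CA attached to it.
type SignedImage struct {
	Name   string
	Body   []byte
	Signer ed25519.PublicKey // public key of whoever signed Body (nil if unsigned)
	Sig    []byte            // Ed25519 signature over SHA-256(Body)
}

// Signer models a UEFI certificate authority holding a private signing key.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh CA key pair.
func NewSigner() *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{pub: pub, priv: priv}
}

// Public returns the key the platform would be provisioned with.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign is what the CA does after reviewing a submitted image: it signs the
// digest of the body and hands the signed image back to the developer.
func (s *Signer) Sign(name string, body []byte) SignedImage {
	digest := sha256.Sum256(body)
	return SignedImage{Name: name, Body: body, Signer: s.pub, Sig: ed25519.Sign(s.priv, digest[:])}
}

// Firmware models the platform firmware: the secure boot switch and the
// set of keys provisioned in hardware/firmware that it is willing to trust.
type Firmware struct {
	SecureBoot bool
	Trusted    []ed25519.PublicKey
}

func (f *Firmware) trusts(k ed25519.PublicKey) bool {
	for _, t := range f.Trusted {
		if t.Equal(k) {
			return true
		}
	}
	return false
}

// LoadImage is the check performed before an image is executed. With secure
// boot on, an image loads only if it is signed by a trusted key and the
// signature matches the body as it is now (not as it was when signed).
func (f *Firmware) LoadImage(img SignedImage) error {
	if !f.SecureBoot {
		return nil // secure boot disabled: the firmware loads anything
	}
	if len(img.Sig) == 0 || img.Signer == nil {
		return fmt.Errorf("%w: %s is unsigned", ErrSecureBootReject, img.Name)
	}
	if !f.trusts(img.Signer) {
		return fmt.Errorf("%w: %s signed by a key the platform does not trust", ErrSecureBootReject, img.Name)
	}
	digest := sha256.Sum256(img.Body)
	if !ed25519.Verify(img.Signer, digest[:], img.Sig) {
		return fmt.Errorf("%w: %s signature does not match image body", ErrSecureBootReject, img.Name)
	}
	return nil
}

func main() {
	ca := NewSigner()
	fw := &Firmware{SecureBoot: true, Trusted: []ed25519.PublicKey{ca.Public()}}

	// Constructed sample images: a CA-signed boot loader and an unsigned kernel.
	loader := ca.Sign("bootx64.efi", []byte("constructed boot loader bytes"))
	kernel := SignedImage{Name: "vmlinuz", Body: []byte("constructed kernel bytes")}

	fmt.Println("boot loader:", fw.LoadImage(loader)) // <nil>
	fmt.Println("kernel:     ", fw.LoadImage(kernel)) // rejected: the CA never signed it
}
```

The `Trusted` slice is deliberately a flat list of keys: the firmware has no way to say "also trust whatever this boot loader trusts", which is exactly the gap the text describes for kernels, OS packages and third-party software.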